Analysis of the HIPAA Omnibus (Final) Rule


Transcript Analysis of the HIPAA Omnibus (Final) Rule

April 19, 2013
1
© Bricker & Eckler LLP 2013
Karen Smith
Claire Turcotte
6189374v3

Introduction

Omnibus Rule Provisions for Discussion

Revisions to the Breach Notification Rule

Changes to Marketing, Fundraising, and Sale of PHI

Required Changes to the Content of the Notice of Privacy Practices

Enforcement

Business Associates and BA Agreements

Individual Access to PHI – Electronic Copies

Restrictions on the Disclosure of PHI to Payors

Additional Changes: PHI of Deceased Individuals, Disclosure of Immunization Records to Schools, GINA

Conclusion
2
3

Final HIPAA omnibus rule (“Omnibus Rule” or “Final
Rule”) released January 17, 2013, and published
January 25, 2013 (78 Fed. Reg. 5566)

Omnibus Rule implements regulations regarding
numerous aspects of the HITECH Act

Effective March 26, 2013. Compliance date for CEs
and BAs is September 23, 2013, for everything
(except grandfathered BAs)

Note: abbreviations CE, PHI, BA, used in slides for
efficiency, including in quotes from Omnibus Rule
Karen Smith
4

Definition of Breach
“Breach means the acquisition, access, use, or disclosure of PHI in a manner
not permitted under subpart E of this part which compromises the security or
privacy of the PHI”
“Except as provided in paragraph (1) of this definition, an acquisition, access,
use, or disclosure of PHI in a manner not permitted under subpart E is
presumed to be a breach unless the CE or BA, as applicable, demonstrates that
there is a low probability that the PHI has been compromised based on a risk
assessment of at least the following factors: … [see slide 6]”

5
Changes

Removal of Risk of Harm

Presumption of Breach

Four Objective Factors
 Nature and extent of the PHI involved
 Unauthorized person who used the PHI or to whom the
disclosure was made
 Whether the PHI was actually acquired or viewed
 Extent to which the risk to the PHI has been mitigated
6

The Final Rule adopted the three exceptions
found in the Interim Final Rule without modification
 Unintentional acquisition, access or use of PHI
 Inadvertent disclosure of PHI
 Unauthorized disclosure without the ability to retain the
information
7

The Final Rule adopts all of the notification
requirements with a minor change
 Covered entities are now required to notify HHS of all
breaches affecting fewer than 500 individuals not later
than 60 days after the end of the calendar year in which
the breaches were discovered
8

9
The Final Rule requires a covered entity to
perform a breach assessment if a limited data set
is used or disclosed in an impermissible manner
even if the limited data set excludes zip codes and
birth dates

All covered entities must comply with the new
breach notification requirements by September 23,
2013
 Update policies & procedures for reporting, analyzing
and documenting a possible breach
 Train workforce members regarding revised policies &
procedures
10
Claire Turcotte
11
 “Marketing” means: “To make a communication about a
product or service that encourages recipients to
purchase or use the product or service”
12

Final Rule requires authorization for all treatment and
health care operations communications where the CE
receives “financial remuneration” for making the
communications from a third party whose products or
services are being

The authorization must state that “financial remuneration is involved” (note: “financial remuneration” does not include in-kind or non-financial benefits)

Exceptions from “marketing” include:
 If “financial remuneration” is reasonably related to the CE’s
cost of making the communication:
• Communications for refill reminders or about drugs or
biologics currently prescribed for the individual and generic
equivalents
• Communications reminding patients to adhere to instructions
about their currently prescribed medications
• Communications about drug delivery systems when an
individual is prescribed a self-administered drug or biologic
• Costs of labor, supplies and postage to make the
communication are “reasonably related” (e.g., drug
manufacturer can cover these costs)
13

Exceptions from “marketing” (cont’d):
 If the CE receives no “financial remuneration”:
• Communications about the CE’s own health-related
products and services
• Case management or care coordination
communications regarding alternative treatments,
therapies, health care providers, or settings of care
14
15

Face-to-face communications (even if CE receives
“financial remuneration”); telephone is not face-to-face

Promotional gifts of nominal value

Communications promoting health in general that do not
promote a product or service from a particular provider
(e.g., promoting a healthy diet)

Communications about government and government-sponsored programs

Communications that do not involve PHI (e.g., CE uses a
purchased mailing list not derived from PHI)
16

The CE can use certain limited PHI for purposes of raising funds for its
own benefit

PHI limited to demographic information relating to an individual and
date of health care provided to an individual

Concern that limited set of permitted PHI restricts a CE’s ability to target
fundraising communications

Particular concern about ability to avoid inappropriate communications
to patients who may have had bad outcomes

Expanded categories of PHI that can be used for fundraising
without authorization

If a CE meets specified conditions, it can use or disclose PHI
to a BA or an institutionally-related foundation for fundraising
without patient authorization including:
 Demographic information (name, address, contact information,
age, gender, DOB)
 Department of service (e.g., cardiology)
 Treating physician
 Outcome information (including death or sub-optimal outcome)
 Health insurance status
17

To use or disclose PHI for fundraising, the CE must:
 Include in its NPP a statement that the CE may contact the
individual for fundraising and the individual has a right to
opt-out
 If an individual does opt-out, their choice must be treated
as a revocation of authorization, which then prohibits the
CE from sending further fundraising communications
 In each fundraising communication, provide a clear and
conspicuous opportunity for the individual to opt-out of
fundraising communications
18
 Ensure that the method to opt-out of fundraising
communications cannot cause the individual to incur
an undue burden or more than a nominal cost
 Not condition treatment or payment on the individual’s
choice with respect to receipt of fundraising
communications
 Not make fundraising communications to an individual
who has elected not to receive fundraising
communications
19

CEs may provide individuals with a method to opt back in.

CEs can choose the method to opt-out; suggestions include:
 Toll-free numbers
 E-mail address
 Requiring return of a preprinted postcard (not an “undue burden”)
 But not requiring a written letter (is an “undue burden”)

Size of the population to whom communications are sent, geographic distribution, and other similar factors should be considered in choosing an appropriate opt-out method

Making a donation after having opted out is not an appropriate opt-in method; the individual must make a separate election to opt-in
20
21

Covered Entities have discretion to determine the
scope of the opt-out

If a Covered Entity can track campaign-specific
opt-outs, it can use a campaign-specific opt-out

Covered Entities can permit individuals to elect
whether to opt-out of all fundraising
communications, or only for specific campaign(s)

Generally, communication must clearly inform the
individual of their options
22

No direct or indirect receipt of remuneration from or on behalf of the recipient in exchange for PHI, except pursuant to a patient authorization meeting specified requirements

Sale includes access, license, lease or transfer
of ownership of PHI

Remuneration includes both financial and in-kind
(unlike “marketing”)
23

Public health purposes

Research purposes where only remuneration is a
reasonable cost-based fee to cover the costs of
preparation and transmittal of data

Treatment and payment purposes

Sale, transfer, merger or consolidation of all or part of
the Covered Entity (or related due diligence)

Services of a business associate (or subcontractor) at
the request of the Covered Entity and only payment is
for such services
24

Providing an individual with access to his/her
own PHI

When required by law

Other purposes permitted by the Privacy Rule,
where remuneration received is a reasonable
cost-based fee to cover the costs of preparation
and transmittal or a fee otherwise expressly
permitted by law (e.g., disclosure of limited data
sets for permitted purposes)
Claire Turcotte
25

Additions to the NPP
 Statement that the following uses and disclosures will be
made only with patient authorization:
• Uses and disclosures for marketing purposes
• Uses and disclosures for the sale of PHI
• Most uses and disclosures of psychotherapy notes
• Other uses and disclosures not described in the NPP
 Right to a notice in the event of breach
 Right to opt-out of fundraising communications
26

Additions to the NPP – Providers Only
 Right to restrict disclosures of PHI to health plans if
an individual has paid for services out-of-pocket, in
full, and the individual requests that the provider not
disclose PHI related solely to those services
27

Additions to the NPP – Health Plans Only
 Statement that the health plan is prohibited from using
or disclosing genetic information for underwriting
purposes
 Exception for certain issuers of long-term care
policies
28

Deletion from the NPP
 Statement that the CE may contact the individual to
provide appointment reminders or information about
treatment alternatives or other health-related benefits or
services
• HHS notes that CEs may choose to leave this in the NPP
29

Posting and Distribution of Revised NPP
 HHS deems this to be a material revision of the NPP
 All CEs must revise their NPP by September 23, 2013
 Providers must make the revised NPP available to existing
patients upon request, post the revised NPP to their websites
(if applicable), and post the revised NPP in a prominent
location on the premises
 New patients who receive services after modification of the
NPP must be provided with a copy of the revised NPP
 Health Plans must either distribute the revised NPP within 60
days of the change (if they do not post the NPP to a website)
or post the NPP to their website and notify all members of the
changes in the next annual mailing
30
Karen Smith
31

Determination of Civil Monetary Penalties (CMPs)
 Retains proposed rule’s CMP structure for violations based on tiered levels of culpability

Violation Category               Penalty for Each Violation   Maximum for All Violations of an Identical Provision in a Calendar Year
Did Not Know                     $100-$50,000                 $1,500,000
Reasonable Cause                 $1,000-$50,000               $1,500,000
Willful Neglect – Corrected      $10,000-$50,000              $1,500,000
Willful Neglect – Not Corrected  $50,000                      $1,500,000
32

Determination of Civil Monetary Penalties (CMPs)
 HHS will not impose maximum penalty in all cases
 CMPs will be calculated on a case-by-case basis
depending on these factors:
• Nature and extent of violation
• Nature and extent of resulting harm
• History of non-compliance of the entity
 HHS will consider prior non-compliance even if there was no formal finding of a violation
• Financial condition of the entity
33

Affirmative Defenses
 Prohibits imposition of penalties for any violation that is
corrected within 30 days, as long as the violation was
not due to willful neglect
 Removes affirmative defense that covered entity did not
know and with exercise of reasonable diligence could
not have known of a violation (Now Tier 1 violation)
 CMP may not be imposed if a criminal penalty has
already been imposed for the violation
34

Investigations
 HHS no longer has discretion as to whether to initiate an
investigation when its preliminary review indicates there
may be a violation due to willful neglect
 HHS retains sole discretion to decide whether to initiate
an investigation or compliance review when its
preliminary review indicates there may be a violation
and the degree of culpability was less than willful neglect
 HHS is no longer required to try to resolve violations by
informal means
35

Liability for Business Associate “Agents”
 Adopts proposal to make covered entities and business
associates liable for their business associates who are
their agents under federal agency law
 Whether a business associate is considered an agent of
the CE will be a fact-specific determination
 Labels used by the parties (e.g., “independent
contractor”) will not control whether an agency
relationship exists
 Business associate may be an agent even when acting
in violation of a business associate agreement, if acting
for the benefit of the covered entity
36
Claire Turcotte
37

HITECH introduced radical changes:
 BAs directly subject to certain security standards and the privacy requirements set forth in HITECH:
• administrative safeguards 45 CFR 164.308
• physical safeguards 45 CFR 164.310
• technical safeguards 45 CFR 164.312
• policies, procedures and documentation requirements 45 CFR 164.316
 BAs subject to requirements under Notice of Breach rules
 BAs subject to civil and criminal penalties same as CEs
38

Adopts HITECH changes and also makes new changes
for BAs:
 Makes additional Security Rule provisions applicable to BAs
 Applies minimum necessary rule to BAs
 Expands definition of “Business Associate” to include
subcontractors of BAs
 Clarifies definition of BAs to include Patient Safety
Organizations, Health Information Exchanges,
Personal Health Records (or entities offering such
services on behalf of a CE)
 Makes CEs liable for violations of BAs that are acting
as agents of the CEs
39
40

Omnibus Rule revisions to specify BA’s permitted
and required uses and disclosures of PHI

BAs not subject to all Privacy Rule requirements.
BA not required to comply with Notice of Privacy
Practices requirement, for example

But Omnibus Rule revised Privacy Rule to require
BAs to comply with general rule on use/disclosure
of PHI

BAs can use or disclose PHI per the BA contract or
as permitted by the Privacy and Security Rule

HHS commentary:
“BAs are directly liable under the HIPAA Rules for impermissible uses
and disclosures, for a failure to provide breach notification to the
covered entity, for a failure to provide access to a copy of electronic PHI
to either the CE, the individual, or the individual’s designee (whichever
is specified in the BAA), for a failure to disclose PHI where required by
the Secretary to investigate or determine the BA’s compliance with the
HIPAA Rules, for a failure to provide an accounting of disclosures, and
for a failure to comply with the requirements of the Security Rule. BAs
remain contractually liable for other requirements of the BAA…”

BA “becomes” a BA by definition, not by the act of signing a BAA. BA liable under HIPAA upon acting as a BA; not contingent on executed BAA
41

Omnibus Rule expressly makes applicable to BAs:
 “Minimum necessary applies. When using or disclosing protected
health information or when requesting protected health
information from another covered entity or business associate, a
covered entity or business associate must make reasonable
efforts to limit protected health information to the minimum
necessary to accomplish the intended purpose of the use,
disclosure, or request.”
 Note: applies to BAs using or disclosing PHI and
disclosures by CEs to BAs and requests from BAs to
CEs. CEs should not disclose more PHI than
necessary to BAs; having BAA does not allow
unlimited exchange of PHI
42

Omnibus Rule makes following additional provisions of the
Security Rule applicable to BAs:
 45 CFR 164.306: Security Standards
“(a) General requirements. Covered entities and business associates must
do the following:
• Ensure the confidentiality, integrity, and availability of all electronic
protected health information the covered entity or business associate
creates, receives, maintains, or transmits
• Protect against any reasonably anticipated threats or hazards to the
security or integrity of such information
• Protect against any reasonably anticipated uses or disclosures of such
information that are not permitted or required under subpart E of this part
• Ensure compliance with this subpart by its workforce”
 45 CFR 164.314: Organizational Requirements
Business Associate contract requirements
43

Omnibus Rule adds language to the definition of “Business
Associate” to clarify that Patient Safety Organizations,
Health Information Exchanges, and Personal Health
Records, (or entities offering these services) are BAs
 45 CFR 160.103:
“(1) [Business associate means] a person who (i) On behalf of
[the CE] creates, receives, maintains, or transmits [PHI] for …
patient safety activities listed at 42 CFR 3.20 …
(3) [Business associate includes: (i) A Health Information
Organization, E-prescribing Gateway, or other person that
provides data transmission services with respect to [PHI] to a
[CE] and that requires access on a routine basis to such [PHI].
(ii) A person that offers a personal health record to one or more
individuals on behalf of a [CE] …”
44
45

Omnibus Rule expands the definition of “Business
Associate” to include subcontractors of BAs who create,
receive, maintain or transmit PHI from the BA

Subcontractors are persons to whom a BA has
delegated a function, activity, or service the BA has
agreed to perform for a CE or BA and where that
function, activity, or service involves the creation, receipt,
maintenance, or transmission of PHI

Can have multiple downstream subcontractors

BA must have a BA Agreement with each subcontractor,
and subcontractors must have BA Agreements with its
subcontractor BAs

Subcontractors BA Agreements:
 Not required for CE to have BAA with subcontractors
of the CE’s BAs
 BAA between BA and subcontractor may not permit
subcontractor to use/disclose PHI in manner not
permitted by the BA. Each BAA in a chain, from CE
to BA to subcontractors, must be as stringent or more
than the last
 Compliance date for having these in place is September 23, 2013; subject to extension for grandfathered agreements, see slide 48
46

You will need to revise your BAAs because:
 Additional provisions of Security Rules are now applicable to
BAs
 Minimum necessary rule now applicable to BAs
 Definition of “breach” has changed. If the BAA defines breach or
outlines assessment of what is a breach, this is not likely to
comply with Omnibus Rule requirements
 While old BAAs usually said “BA must ensure subcontractor
agrees to the same restrictions,” you will want to make clear that
this means BA must enter into a BAA with subcontractors
 Consider adding indemnification of CE by BA for BA and its
subcontractors’ compliance with Privacy and Security Rule
requirements
47

Compliance date:
 September 23, 2013

Extended compliance date for grandfathered BAAs:
 September 23, 2014
 If the BAA was in place before January 25, 2013, and
complied with the then-current rules, and it is not renewed
or modified on or after March 26, 2013
 Applies to agreements between BAs and subcontractors,
but note must have had written agreement that complied
with 45 CFR 164.314(a) and 45 CFR 164.504(e)
48
Claire Turcotte
49
50

Individuals may request and CEs must now
provide an individual with a copy of their PHI
that is maintained by the CE as electronic PHI
in a designated record set, in the electronic
form and format requested by the individual if
such format is readily producible

If the requested format is not readily
producible, the CE must offer to produce the
electronic PHI in at least one readable
electronic format

If the individual declines all available electronic
formats, provide a hard copy
51

CEs do not need to purchase new software or
hardware to accommodate requests for various
types of formats; however, they must be able to
provide some form of readable electronic copy

For CEs with medical records in mixed media
(i.e., some paper and some electronic PHI), the
CE may provide a combination of electronic and
hard copies to the individual

Records maintained in hard copy do not need to
be scanned

A CE is not required to use an individual’s flash
drive or other device to transfer the electronic PHI
if the CE has security concerns regarding the
external portable media

If an individual requests to receive the electronic
copy via unencrypted email and secure email is
unavailable, the CE may decide whether or not to
send the electronic copy via unencrypted email
 However, if unencrypted email is used, the CE must
advise the individual of the risk that the information
could be read by a third party
52
53

If requested by an individual, a CE must transmit
the electronic copy directly to another person
designated by the individual

HHS clarified that CEs may rely on information
provided by the individual regarding the
third-party recipient, but they must implement
policies and procedures to verify the identity of any
person requesting PHI and implement reasonable
safeguards to protect the information disclosed

CEs may charge reasonable cost-based fees to individuals for providing access to PHI, including providing a copy in electronic format, including:
 labor costs,
 supplies for creating electronic media (e.g., discs, flash drives) if the individual requests the copy on portable media, and
 postage

Fees for system maintenance, storage, new technology, or retrieval are not permitted
54

55
Under the state law preemption provisions of HIPAA, a state law imposing lower cost limits would apply. Conversely, if state law permits higher costs, then the lower HIPAA limits would apply
56

The Final Rule decreases the total time CEs have
to respond to requests for access from 90 to 60
days (by removing the provision allowing an
additional 30 days if PHI is not maintained on-site)

CEs may provide the individual written notice of a
one-time extension of up to 30 days, including the
reason for the delay and the expected date of
completion
Karen Smith
57

The general rule is that a CE is not required to
accept restrictions on the use and disclosure of PHI

Final Rule created an exception, and requires a CE
to agree to a restriction if:
 the disclosure is for the purpose of carrying out
payment or health care operations and is not
otherwise required by law; and
 the PHI pertains solely to a health care item or service
for which the individual, or person other than the
health plan on behalf of the individual, has paid the
CE in full
58
59

CEs are not required to create separate medical
records or otherwise segregate PHI subject to a
restriction

CEs will need to flag restricted PHI or make a
notation in the record that the PHI has been
restricted

CEs are not required to abide by a restriction if an
individual’s payment is dishonored, but they must
make a reasonable effort to contact the individual
and obtain payment prior to billing a health plan
60

The Final Rule limits the time period that PHI of
deceased individuals must be protected to 50 years

This is not a record retention requirement

A covered entity may disclose a deceased
individual's PHI to family members and others who
were involved in the care or payment for care of the
individual prior to death, unless the disclosure is
inconsistent with any prior expressed preference of
the individual

The Final Rule permits a CE to disclose proof of
immunization to a school if the school is required by law to
have such information prior to admitting the student

Written authorization will no longer be required

CEs are required to obtain written or oral agreement from a
parent or guardian and document the agreement
 A signature is not required
 An email from the parent, or a notation of a phone call in the
child’s medical record or elsewhere would suffice as
documentation
61

Adopts the definition of “genetic information” from Genetic
Information Nondiscrimination Act of 2008 (GINA), which
includes:
 The individual’s genetic tests
 Genetic tests of family members
 Family medical history
62

Clarifies that tests such as HIV tests, blood counts,
cholesterol or liver function tests, or tests to detect the
presence of alcohol or drugs, are not genetic information

Defines genetic information to include information about a
fetus or embryo

Specifically excludes age and sex from the definition of
genetic information

Prohibits the use of genetic information for underwriting

“Underwriting,” includes the following:
 the determination of eligibility and enrollment
 premium or contribution amounts, including reduced cost
sharing amounts or rewards under a wellness program
 the application of any pre-existing condition exclusion
 other activities related to the creation, renewal or replacement of
a contract of health benefits

63
The use of genetic information is permitted when an
individual is seeking a particular benefit and the genetic
information is needed to determine the medical
appropriateness of providing the benefit

The prohibition on using genetic information for
underwriting under GINA is expanded to include all
entities included in the definition of “health plan,”
except for long term care plans
 e.g. Medicare, Medicaid, high risk pools, excepted benefits
such as dental and vision
64

The prohibition does not apply to providers

The prohibition applies to all genetic information from
the compliance date of the Final Rule forward,
regardless of when or where the genetic information
originated

Compliance Date
 CEs must be in compliance with the
Final Rule by September 23, 2013
(with exception of grandfathered BA
Agreements)
 This means your policies and procedures,
BA Agreements and NPPs must be revised
by September 23, 2013
65
Resources

HIPAA Regulations:
www.bricker.com/hipaa

eAlerts:
www.incomplianceconsulting.com/services/hipaa-alerts

On-line Compliance Program:
www.bricker.com/hipaa
www.incomplianceconsulting.com/services/hipaa-consulting-services
66
Karen Smith
[email protected]
614.227.2313
Claire Turcotte
[email protected]
513.870.6573
67